From 36ad3aa05d5213b2379f388ba61e095c2e4452ef Mon Sep 17 00:00:00 2001
From: Akash Mozumdar
Date: Sat, 8 Dec 2018 23:23:23 -0500
Subject: [PATCH] update airnovel
---
 vnrhook/engine/engine.cc | 246 ++++++++++++++++++++++++++-------------
 1 file changed, 167 insertions(+), 79 deletions(-)
diff --git a/vnrhook/engine/engine.cc b/vnrhook/engine/engine.cc
index 01bad0e..686a0eb 100644
--- a/vnrhook/engine/engine.cc
+++ b/vnrhook/engine/engine.cc
@@ -16242,94 +16242,183 @@ bool InsertAdobeAirHook()
 }
 /**
-* Artikash 7/15/2018: Insert AIRNovel hook
-* Sample game: https://vndb.org/v22252: /HQ-8*8:-8*14@130380:Adobe AIR.dll
-* When entering this function, ecx points to a struct containing a pointer to the text along with info about the type of text
-* ecx+8 is the (w)char(_t)* we want, ecx+14 is the int* that tells apart text types.
-
-Adobe AIR.dll+130300 - 55 - push ebp
-Adobe AIR.dll+130301 - 8B EC - mov ebp,esp
-Adobe AIR.dll+130303 - F2 0F10 05 5069C610 - movsd xmm0,["Adobe AIR.dll"+EE6950] { [-1.00] }
-Adobe AIR.dll+13030B - 83 EC 0C - sub esp,0C { 12 }
-Adobe AIR.dll+13030E - F2 0F10 4D 08 - movsd xmm1,[ebp+08]
-Adobe AIR.dll+130313 - 66 0F2F C1 - comisd xmm0,xmm1
-Adobe AIR.dll+130317 - 72 05 - jb "Adobe AIR.dll"+13031E { ->Adobe AIR.dll+13031E }
-Adobe AIR.dll+130319 - 83 CA FF - or edx,-01 { 255 }
-Adobe AIR.dll+13031C - EB 32 - jmp "Adobe AIR.dll"+130350 { ->Adobe AIR.dll+130350 }
-Adobe AIR.dll+13031E - 8B 51 10 - mov edx,[ecx+10]
-Adobe AIR.dll+130321 - 66 0F6E C2 - movd xmm0,edx
-Adobe AIR.dll+130325 - F3 0FE6 C0 - cvtdq2pd xmm0,xmm0
-Adobe AIR.dll+130329 - 66 0F2F C8 - comisd xmm1,xmm0
-Adobe AIR.dll+13032D - 73 21 - jae "Adobe AIR.dll"+130350 { ->Adobe AIR.dll+130350 }
-Adobe AIR.dll+13032F - F2 0F11 4D F4 - movsd [ebp-0C],xmm1
-Adobe AIR.dll+130334 - 33 D2 - xor edx,edx; Safe to hook here!
-Adobe AIR.dll+130336 - 8B 45 F8 - mov eax,[ebp-08]
-Adobe AIR.dll+130339 - 25 FFFFFF7F - and eax,7FFFFFFF { 2147483647 }
-Adobe AIR.dll+13033E - 3D 0000F07F - cmp eax,7FF00000 { 2146435072 }
-Adobe AIR.dll+130343 - 77 0B - ja "Adobe AIR.dll"+130350 { ->Adobe AIR.dll+130350 }
-Adobe AIR.dll+130345 - 72 05 - jb "Adobe AIR.dll"+13034C { ->Adobe AIR.dll+13034C }
-Adobe AIR.dll+130347 - 39 55 F4 - cmp [ebp-0C],edx
-Adobe AIR.dll+13034A - 77 04 - ja "Adobe AIR.dll"+130350 { ->Adobe AIR.dll+130350 }
-Adobe AIR.dll+13034C - F2 0F2C D1 - cvttsd2si edx,xmm1
-Adobe AIR.dll+130350 - 8B 41 10 - mov eax,[ecx+10]
-Adobe AIR.dll+130353 - 89 45 F8 - mov [ebp-08],eax
-Adobe AIR.dll+130356 - 3B D0 - cmp edx,eax
-Adobe AIR.dll+130358 - 73 51 - jae "Adobe AIR.dll"+1303AB { ->Adobe AIR.dll+1303AB }
-Adobe AIR.dll+13035A - 89 55 FC - mov [ebp-04],edx
-Adobe AIR.dll+13035D - 8B 45 F8 - mov eax,[ebp-08]
-Adobe AIR.dll+130360 - 39 45 FC - cmp [ebp-04],eax
-Adobe AIR.dll+130363 - 1B C0 - sbb eax,eax
-Adobe AIR.dll+130365 - 21 45 FC - and [ebp-04],eax
-Adobe AIR.dll+130368 - 8B 41 14 - mov eax,[ecx+14]
-Adobe AIR.dll+13036B - C1 E8 02 - shr eax,02 { 2 }
-Adobe AIR.dll+13036E - A8 01 - test al,01 { 1 }
-Adobe AIR.dll+130370 - 75 05 - jne "Adobe AIR.dll"+130377 { ->Adobe AIR.dll+130377 }
-Adobe AIR.dll+130372 - 8B 51 08 - mov edx,[ecx+08] // Address of text moved into edx here
-Adobe AIR.dll+130375 - EB 09 - jmp "Adobe AIR.dll"+130380 { ->Adobe AIR.dll+130380 }; Unconditional jump to hook location
-Adobe AIR.dll+130377 - 8B 41 0C - mov eax,[ecx+0C]
-Adobe AIR.dll+13037A - 8B 50 08 - mov edx,[eax+08]
-Adobe AIR.dll+13037D - 03 51 08 - add edx,[ecx+08]
-Adobe AIR.dll+130380 - F6 41 14 01 - test byte ptr [ecx+14],01 { 1 }; Hook here also works
-Adobe AIR.dll+130384 - 8B 45 FC - mov eax,[ebp-04]
-Adobe AIR.dll+130387 - 75 06 - jne "Adobe AIR.dll"+13038F { ->Adobe AIR.dll+13038F }
-Adobe AIR.dll+130389 - 0FB6 04 10 - movzx eax,byte ptr [eax+edx]
-Adobe AIR.dll+13038D - EB 04 - jmp "Adobe AIR.dll"+130393 { ->Adobe AIR.dll+130393 }
-Adobe AIR.dll+13038F - 0FB7 04 42 - movzx eax,word ptr [edx+eax*2]
-Adobe AIR.dll+130393 - 66 0F6E C0 - movd xmm0,eax
-Adobe AIR.dll+130397 - F3 0FE6 C0 - cvtdq2pd xmm0,xmm0
-Adobe AIR.dll+13039B - 89 0D 90F71311 - mov ["Adobe AIR.dll"+13BF790],ecx { [07EBDB80] }
-Adobe AIR.dll+1303A1 - F2 0F11 45 F4 - movsd [ebp-0C],xmm0
-Adobe AIR.dll+1303A6 - DD 45 F4 - fld qword ptr [ebp-0C]
-Adobe AIR.dll+1303A9 - EB 06 - jmp "Adobe AIR.dll"+1303B1 { ->Adobe AIR.dll+1303B1 }
-Adobe AIR.dll+1303AB - DD 05 B8071411 - fld qword ptr ["Adobe AIR.dll"+13C07B8] { [Nan] }
-Adobe AIR.dll+1303B1 - 8B E5 - mov esp,ebp
-Adobe AIR.dll+1303B3 - 5D - pop ebp
-Adobe AIR.dll+1303B4 - C2 0800 - ret 0008 { 8 }
+* Artikash 12/8/2018: Update AIRNovel hook for version 31.0.0.96
+* Sample game: https://vndb.org/v22252: /HQ4*8:4*4@12FF9A:Adobe AIR.dll
+* First function parameter points to a struct containing a pointer to the text along with info about the type of text
+* wchar_t* at offset 8, good split parameter at offset 4
+Adobe AIR.dll+12FF9A - 51 - push ecx
+Adobe AIR.dll+12FF9B - 53 - push ebx
+Adobe AIR.dll+12FF9C - 55 - push ebp
+Adobe AIR.dll+12FF9D - 56 - push esi
+Adobe AIR.dll+12FF9E - 8B 74 24 14 - mov esi,[esp+14]
+Adobe AIR.dll+12FFA2 - 8B E9 - mov ebp,ecx
+Adobe AIR.dll+12FFA4 - 57 - push edi
+Adobe AIR.dll+12FFA5 - 85 F6 - test esi,esi
+Adobe AIR.dll+12FFA7 - 0F84 78010000 - je "Adobe AIR.dll"+130125 { ->Adobe AIR.dll+130125 }
+Adobe AIR.dll+12FFAD - 8B 5E 10 - mov ebx,[esi+10]
+Adobe AIR.dll+12FFB0 - 85 DB - test ebx,ebx
+Adobe AIR.dll+12FFB2 - 0F84 6D010000 - je "Adobe AIR.dll"+130125 { ->Adobe AIR.dll+130125 }
+Adobe AIR.dll+12FFB8 - 8B C6 - mov eax,esi
+Adobe AIR.dll+12FFBA - 25 00F0FFFF - and eax,FFFFF000 { -4096 }
+Adobe AIR.dll+12FFBF - 8B 40 08 - mov eax,[eax+08]
+Adobe AIR.dll+12FFC2 - 89 44 24 10 - mov [esp+10],eax
+Adobe AIR.dll+12FFC6 - 8B 46 14 - mov eax,[esi+14]
+Adobe AIR.dll+12FFC9 - A8 01 - test al,01 { 1 }
+Adobe AIR.dll+12FFCB - 0F85 D7000000 - jne "Adobe AIR.dll"+1300A8 { ->Adobe AIR.dll+1300A8 }
+Adobe AIR.dll+12FFD1 - A8 08 - test al,08 { 8 }
+Adobe AIR.dll+12FFD3 - 75 4A - jne "Adobe AIR.dll"+13001F { ->Adobe AIR.dll+13001F }
+Adobe AIR.dll+12FFD5 - C1 E8 02 - shr eax,02 { 2 }
+Adobe AIR.dll+12FFD8 - A8 01 - test al,01 { 1 }
+Adobe AIR.dll+12FFDA - 75 05 - jne "Adobe AIR.dll"+12FFE1 { ->Adobe AIR.dll+12FFE1 }
+Adobe AIR.dll+12FFDC - 8B 4E 08 - mov ecx,[esi+08]
+Adobe AIR.dll+12FFDF - EB 09 - jmp "Adobe AIR.dll"+12FFEA { ->Adobe AIR.dll+12FFEA }
+Adobe AIR.dll+12FFE1 - 8B 46 0C - mov eax,[esi+0C]
+Adobe AIR.dll+12FFE4 - 8B 48 08 - mov ecx,[eax+08]
+Adobe AIR.dll+12FFE7 - 03 4E 08 - add ecx,[esi+08]
+Adobe AIR.dll+12FFEA - 89 35 9057BF10 - mov ["Adobe AIR.dll"+1385790],esi { [080D7CA0] }
+Adobe AIR.dll+12FFF0 - 33 FF - xor edi,edi
+Adobe AIR.dll+12FFF2 - 8B 56 10 - mov edx,[esi+10]
+Adobe AIR.dll+12FFF5 - 85 D2 - test edx,edx
+Adobe AIR.dll+12FFF7 - 74 12 - je "Adobe AIR.dll"+13000B { ->Adobe AIR.dll+13000B }
+Adobe AIR.dll+12FFF9 - 8A 01 - mov al,[ecx]
+Adobe AIR.dll+12FFFB - B4 7F - mov ah,7F { 127 }
+Adobe AIR.dll+12FFFD - 41 - inc ecx
+Adobe AIR.dll+12FFFE - 3A E0 - cmp ah,al
+Adobe AIR.dll+130000 - 1B C0 - sbb eax,eax
+Adobe AIR.dll+130002 - F7 D8 - neg eax
+Adobe AIR.dll+130004 - 03 F8 - add edi,eax
+Adobe AIR.dll+130006 - 83 EA 01 - sub edx,01 { 1 }
+Adobe AIR.dll+130009 - 75 EE - jne "Adobe AIR.dll"+12FFF9 { ->Adobe AIR.dll+12FFF9 }
+Adobe AIR.dll+13000B - 57 - push edi
+Adobe AIR.dll+13000C - 53 - push ebx
+Adobe AIR.dll+13000D - E8 36040900 - call "Adobe AIR.dll"+1C0448 { ->Adobe AIR.dll+1C0448 }
+Adobe AIR.dll+130012 - 8B D8 - mov ebx,eax
+Adobe AIR.dll+130014 - 59 - pop ecx
+Adobe AIR.dll+130015 - 59 - pop ecx
+Adobe AIR.dll+130016 - 3B 5E 10 - cmp ebx,[esi+10]
+Adobe AIR.dll+130019 - 75 04 - jne "Adobe AIR.dll"+13001F { ->Adobe AIR.dll+13001F }
+Adobe AIR.dll+13001B - 83 4E 14 08 - or dword ptr [esi+14],08 { 8 }
+Adobe AIR.dll+13001F - 8B 4C 24 10 - mov ecx,[esp+10]
+Adobe AIR.dll+130023 - 8D 43 01 - lea eax,[ebx+01]
+Adobe AIR.dll+130026 - 6A 02 - push 02 { 2 }
+Adobe AIR.dll+130028 - 6A 00 - push 00 { 0 }
+Adobe AIR.dll+13002A - 50 - push eax
+Adobe AIR.dll+13002B - E8 CD250B00 - call "Adobe AIR.dll"+1E25FD { ->Adobe AIR.dll+1E25FD }
+Adobe AIR.dll+130030 - 8B 4E 14 - mov ecx,[esi+14]
+Adobe AIR.dll+130033 - 8B F8 - mov edi,eax
+Adobe AIR.dll+130035 - C1 E9 02 - shr ecx,02 { 2 }
+Adobe AIR.dll+130038 - F6 C1 01 - test cl,01 { 1 }
+Adobe AIR.dll+13003B - 75 05 - jne "Adobe AIR.dll"+130042 { ->Adobe AIR.dll+130042 }
+Adobe AIR.dll+13003D - 8B 56 08 - mov edx,[esi+08]
+Adobe AIR.dll+130040 - EB 09 - jmp "Adobe AIR.dll"+13004B { ->Adobe AIR.dll+13004B }
+Adobe AIR.dll+130042 - 8B 46 0C - mov eax,[esi+0C]
+Adobe AIR.dll+130045 - 8B 50 08 - mov edx,[eax+08]
+Adobe AIR.dll+130048 - 03 56 08 - add edx,[esi+08]
+Adobe AIR.dll+13004B - 89 35 9057BF10 - mov ["Adobe AIR.dll"+1385790],esi { [080D7CA0] }
+Adobe AIR.dll+130051 - 89 7D 00 - mov [ebp+00],edi
+Adobe AIR.dll+130054 - 89 5D 04 - mov [ebp+04],ebx
+Adobe AIR.dll+130057 - 8B 76 10 - mov esi,[esi+10]
+Adobe AIR.dll+13005A - 3B DE - cmp ebx,esi
+Adobe AIR.dll+13005C - 75 14 - jne "Adobe AIR.dll"+130072 { ->Adobe AIR.dll+130072 }
+Adobe AIR.dll+13005E - 53 - push ebx
+Adobe AIR.dll+13005F - 52 - push edx
+Adobe AIR.dll+130060 - 57 - push edi
+Adobe AIR.dll+130061 - E8 3A715D00 - call "Adobe AIR.dll"+7071A0 { ->Adobe AIR.dll+7071A0 }
+Adobe AIR.dll+130066 - 83 C4 0C - add esp,0C { 12 }
+Adobe AIR.dll+130069 - C6 04 1F 00 - mov byte ptr [edi+ebx],00 { 0 }
+Adobe AIR.dll+13006D - E9 BE000000 - jmp "Adobe AIR.dll"+130130 { ->Adobe AIR.dll+130130 }
+Adobe AIR.dll+130072 - 85 F6 - test esi,esi
+Adobe AIR.dll+130074 - 74 2A - je "Adobe AIR.dll"+1300A0 { ->Adobe AIR.dll+1300A0 }
+Adobe AIR.dll+130076 - BB 80000000 - mov ebx,00000080 { 128 }
+Adobe AIR.dll+13007B - 0FB6 0A - movzx ecx,byte ptr [edx]
+Adobe AIR.dll+13007E - 4E - dec esi
+Adobe AIR.dll+13007F - 42 - inc edx
+Adobe AIR.dll+130080 - 66 3B CB - cmp cx,bx
+Adobe AIR.dll+130083 - 72 14 - jb "Adobe AIR.dll"+130099 { ->Adobe AIR.dll+130099 }
+Adobe AIR.dll+130085 - 8A C1 - mov al,cl
+Adobe AIR.dll+130087 - 83 E1 3F - and ecx,3F { 63 }
+Adobe AIR.dll+13008A - C0 E8 06 - shr al,06 { 6 }
+Adobe AIR.dll+13008D - 24 03 - and al,03 { 3 }
+Adobe AIR.dll+13008F - 2C 40 - sub al,40 { 64 }
+Adobe AIR.dll+130091 - 88 07 - mov [edi],al
+Adobe AIR.dll+130093 - 47 - inc edi
+Adobe AIR.dll+130094 - 03 CB - add ecx,ebx
+Adobe AIR.dll+130096 - 0FB7 C9 - movzx ecx,cx
+Adobe AIR.dll+130099 - 88 0F - mov [edi],cl
+Adobe AIR.dll+13009B - 47 - inc edi
+Adobe AIR.dll+13009C - 85 F6 - test esi,esi
+Adobe AIR.dll+13009E - 75 DB - jne "Adobe AIR.dll"+13007B { ->Adobe AIR.dll+13007B }
+Adobe AIR.dll+1300A0 - C6 07 00 - mov byte ptr [edi],00 { 0 }
+Adobe AIR.dll+1300A3 - E9 88000000 - jmp "Adobe AIR.dll"+130130 { ->Adobe AIR.dll+130130 }
+Adobe AIR.dll+1300A8 - C1 E8 02 - shr eax,02 { 2 }
+Adobe AIR.dll+1300AB - A8 01 - test al,01 { 1 }
+Adobe AIR.dll+1300AD - 75 05 - jne "Adobe AIR.dll"+1300B4 { ->Adobe AIR.dll+1300B4 }
+Adobe AIR.dll+1300AF - 8B 46 08 - mov eax,[esi+08]
+Adobe AIR.dll+1300B2 - EB 09 - jmp "Adobe AIR.dll"+1300BD { ->Adobe AIR.dll+1300BD }
+Adobe AIR.dll+1300B4 - 8B 46 0C - mov eax,[esi+0C]
+Adobe AIR.dll+1300B7 - 8B 40 08 - mov eax,[eax+08]
+Adobe AIR.dll+1300BA - 03 46 08 - add eax,[esi+08]
+Adobe AIR.dll+1300BD - 6A 00 - push 00 { 0 }
+Adobe AIR.dll+1300BF - 6A 00 - push 00 { 0 }
+Adobe AIR.dll+1300C1 - 53 - push ebx
+Adobe AIR.dll+1300C2 - 50 - push eax
+Adobe AIR.dll+1300C3 - E8 A7730100 - call "Adobe AIR.dll"+14746F { ->Adobe AIR.dll+14746F }
+Adobe AIR.dll+1300C8 - 83 C4 10 - add esp,10 { 16 }
+Adobe AIR.dll+1300CB - 89 35 9057BF10 - mov ["Adobe AIR.dll"+1385790],esi { [080D7CA0] }
+Adobe AIR.dll+1300D1 - 8B F8 - mov edi,eax
+Adobe AIR.dll+1300D3 - 33 C0 - xor eax,eax
+Adobe AIR.dll+1300D5 - 85 FF - test edi,edi
+Adobe AIR.dll+1300D7 - 0F48 F8 - cmovs edi,eax
+Adobe AIR.dll+1300DA - 6A 02 - push 02 { 2 }
+Adobe AIR.dll+1300DC - 50 - push eax
+Adobe AIR.dll+1300DD - 8D 4F 01 - lea ecx,[edi+01]
+Adobe AIR.dll+1300E0 - 51 - push ecx
+Adobe AIR.dll+1300E1 - 8B 4C 24 1C - mov ecx,[esp+1C]
+Adobe AIR.dll+1300E5 - E8 13250B00 - call "Adobe AIR.dll"+1E25FD { ->Adobe AIR.dll+1E25FD }
+Adobe AIR.dll+1300EA - 8B D0 - mov edx,eax
+Adobe AIR.dll+1300EC - 89 7D 04 - mov [ebp+04],edi
+Adobe AIR.dll+1300EF - 89 55 00 - mov [ebp+00],edx
+Adobe AIR.dll+1300F2 - C6 04 3A 00 - mov byte ptr [edx+edi],00 { 0 }
+Adobe AIR.dll+1300F6 - 8B 4E 14 - mov ecx,[esi+14]
+Adobe AIR.dll+1300F9 - C1 E9 02 - shr ecx,02 { 2 }
+Adobe AIR.dll+1300FC - F6 C1 01 - test cl,01 { 1 }
+Adobe AIR.dll+1300FF - 75 05 - jne "Adobe AIR.dll"+130106 { ->Adobe AIR.dll+130106 }
+Adobe AIR.dll+130101 - 8B 46 08 - mov eax,[esi+08]
+Adobe AIR.dll+130104 - EB 09 - jmp "Adobe AIR.dll"+13010F { ->Adobe AIR.dll+13010F }
+Adobe AIR.dll+130106 - 8B 46 0C - mov eax,[esi+0C]
+Adobe AIR.dll+130109 - 8B 40 08 - mov eax,[eax+08]
+Adobe AIR.dll+13010C - 03 46 08 - add eax,[esi+08]
+Adobe AIR.dll+13010F - 57 - push edi
+Adobe AIR.dll+130110 - 52 - push edx
+Adobe AIR.dll+130111 - FF 76 10 - push [esi+10]
+Adobe AIR.dll+130114 - 50 - push eax
+Adobe AIR.dll+130115 - E8 55730100 - call "Adobe AIR.dll"+14746F { ->Adobe AIR.dll+14746F }
+Adobe AIR.dll+13011A - 83 C4 10 - add esp,10 { 16 }
+Adobe AIR.dll+13011D - 89 35 9057BF10 - mov ["Adobe AIR.dll"+1385790],esi { [080D7CA0] }
+Adobe AIR.dll+130123 - EB 0B - jmp "Adobe AIR.dll"+130130 { ->Adobe AIR.dll+130130 }
+Adobe AIR.dll+130125 - 83 65 04 00 - and dword ptr [ebp+04],00 { 0 }
+Adobe AIR.dll+130129 - C7 45 00 20277210 - mov [ebp+00],"Adobe AIR.dll"+EB2720 { [00000000] }
+Adobe AIR.dll+130130 - 5F - pop edi
+Adobe AIR.dll+130131 - 5E - pop esi
+Adobe AIR.dll+130132 - 8B C5 - mov eax,ebp
+Adobe AIR.dll+130134 - 5D - pop ebp
+Adobe AIR.dll+130135 - 5B - pop ebx
+Adobe AIR.dll+130136 - 59 - pop ecx
+Adobe AIR.dll+130137 - C2 0400 - ret 0004 { 4 }
 */
 bool InsertAIRNovelHook()
 {
 if (DWORD base = (DWORD)GetModuleHandleW(L"Adobe Air.dll"))
 {
- const BYTE bytes[] =
- {
- 0x33, 0xD2, //- xor edx,edx
- 0x8B, 0x45, 0xF8, //- mov eax,[ebp - 08]
- };
- DWORD addr = MemDbg::findBytes(bytes, sizeof(bytes), base, base + 0x200000); // Artikash 7/14/2018: Probably big enough
- if (!addr)
- {
- ConsoleOutput("Textractor: AIRNovel: pattern not found");
- return false;
- }
 HookParam hp = {};
- hp.address = addr;
+ hp.address = base + 0x12ff9a;
 hp.type = USING_UNICODE|USING_STRING|USING_SPLIT|SPLIT_INDIRECT|DATA_INDIRECT;
 hp.length_offset = 0;
- hp.offset = pusha_ecx_off - 4;
- hp.split = pusha_ecx_off - 4;
+ hp.offset = 0x4;
+ hp.split = 0x4;
 hp.index = 0x8;
- hp.split_index = 0x14;
+ hp.split_index = 0x4;
 //hp.filter_fun = [](void* str, DWORD* len, HookParam* hp, BYTE index) // removes some of the garbage threads
 //{
 // return *len < 4 &&
@@ -16346,7 +16435,6 @@ bool InsertAIRNovelHook()
 NewHook(hp, "AIRNovel");
 return true;
 }
- ConsoleOutput("Adobe Air.dll not found");
 return false;
 }
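Review bot: `hp.address = base + 0x12ff9a;` installs the hook at a fixed RVA with no check that the bytes at that address are the `push ecx / push ebx / push ebp / push esi` prologue shown in the new listing, so on any Adobe AIR build other than the 31.0.0.96 named in the comment the hook lands on an arbitrary instruction and the only symptom is a crash of the hooked process. The removed `MemDbg::findBytes` path at least failed loudly with "pattern not found", and the second hunk also drops the "Adobe Air.dll not found" message, so InsertAIRNovelHook now returns false silently in both failure cases. A short guard that compares the first bytes at the address with the expected prologue and reports a mismatch through ConsoleOutput would keep the version dependency explicit; the sketch below reads the module's memory in-process the same way the old findBytes call did, and its exact byte values are taken from the listing in this hunk rather than verified against a binary. The body of InsertAIRNovelHook continues past the end of the first hunk.
```cpp
		HookParam hp = {};
		// Listing above is for Adobe AIR 31.0.0.96; refuse to hook a build whose prologue differs
		const BYTE expected[] = { 0x51, 0x53, 0x55, 0x56 }; // push ecx / push ebx / push ebp / push esi
		hp.address = base + 0x12ff9a;
		if (memcmp((const void*)hp.address, expected, sizeof(expected)) != 0)
		{
			ConsoleOutput("Textractor: AIRNovel: unexpected code at hook address (unsupported Adobe AIR version?)");
			return false;
		}
		// … unchanged: hp.type, hp.length_offset, hp.offset, hp.split, hp.index, hp.split_index …
```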